Re: SSH / SSL, tunneling, etc (Re: builtin httpd)

On Jun 22, 2011, at 3:44 PM, Magnus Eriksson wrote:
> On Wed, 22 Jun 2011, Chuck Swiger wrote:
>> You could start with plug-gw from the TIS FWTK. Of course, if the local
>> firewall was doing its job, it would already be forcing HTTP and HTTPS
>> through an HTTP-aware proxy which would block attempts to put other
>> protocols like SSH through.
>
> Hmm. You're right, with the minor modification that it'd have to be an HTTP
> and SSL-aware proxy, since as I understand it HTTPS completely wraps HTTP,
> and you'd only see the SSL handshake.
It depends on how the proxy is implemented, but things implementing TLS can
request that a proxy upgrade a plaintext HTTP request to SSL, much as SMTP
supports STARTTLS. Otherwise, the browser client needs to know enough about
the proxy to tell it to use CONNECT to get out to the SSL port of the
destination...but, unless the proxy is told to restrict valid destination
ports, you can use CONNECT to proxy to any destination.
http://www.ietf.org/rfc/rfc2817.txt
> But if one were to wrap an SSH connection inside SSL instead, AFAIK there is
> no trivial way of spotting that, short of man-in-the-middle'ing all SSL
> connections. (Which can be done too, of course.)
Yes, some proxies implement their own CA, and if the client boxes are set up to
trust that CA cert, the proxy will generate certs to implement the MITM; for
example:
http://crypto.stanford.edu/ssl-mitm/
Regards,
--
-Chuck
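An added example, not code from anyone in the thread: a Python sketch of the CONNECT destination-port restriction the reply refers to, plus a small tally over proxy access-log lines so tunnels to non-HTTPS ports show up in review. The allowed-port set, blocked-host list and log format are constructed assumptions.

```python
"""CONNECT policy check for an HTTP proxy (added example, not code from the thread).

Models the point made above: a proxy that accepts CONNECT to any destination
port will tunnel any TCP protocol, SSH included. The allowed-port set, the
blocked-host list and the log format are constructed assumptions.
"""
import re
from typing import NamedTuple

# Request line per RFC 2817 section 5.2: "CONNECT host:port HTTP/1.x".
# Bracketed IPv6 literals are deliberately not matched and get a 400.
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$"
)
ALLOWED_PORTS = frozenset({443})                       # constructed policy: HTTPS only
BLOCKED_HOSTS = frozenset({"localhost", "127.0.0.1"})  # no tunnels back to the proxy


class Decision(NamedTuple):
    status: int  # HTTP status the proxy should answer with
    reason: str


def evaluate_connect(request_line: str) -> Decision:
    """Decide how a port-restricting proxy should answer one CONNECT request line."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return Decision(400, "malformed CONNECT request")
    host, port = m.group("host").lower(), int(m.group("port"))
    if not 1 <= port <= 65535:
        return Decision(400, "port out of range")
    if host in BLOCKED_HOSTS:
        return Decision(403, "destination %s not permitted" % host)
    if port not in ALLOWED_PORTS:
        # Without this check an SSH stream would ride through unchanged.
        return Decision(403, "port %d not permitted; allowed: %s"
                        % (port, sorted(ALLOWED_PORTS)))
    return Decision(200, "Connection established")


def connect_ports_seen(log_lines):
    """Tally CONNECT destination ports from proxy access-log lines so tunnels
    to non-HTTPS ports stand out in log review."""
    counts = {}
    for line in log_lines:
        m = re.search(r'"CONNECT [^\s:]+:(\d+) HTTP', line)
        if m:
            counts[int(m.group(1))] = counts.get(int(m.group(1)), 0) + 1
    return counts
```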